A computer virus is malicious computer code consisting of a list of executable instructions. For purposes of this application, malicious computer code includes computer code commonly referred to as computer viruses, worms, Trojan horses, some forms of spam, spy-ware, and any other type of unauthorized or unsolicited computer code that appears in a computer without an authorized user's knowledge and/or without an authorized user's consent. Although not typically referred to as malicious computer code, spoofing, such as DNS or return address spoofing, may be the result of malicious computer code. Instructions from such code can often take the form of an executable file. Extensions for executable content vary from platform to platform and may include binary or scripting/macro forms. While the descriptions herein may use examples specific to the Windows® platform, their use is not intended to limit the present invention in any way. It is contemplated that the present invention is equally applicable to analogous mechanisms on other platforms. Malicious code of this type often has multiple objectives. One objective is typically to infect and disrupt the computer in which the malicious code resides. Such malicious code may destroy the contents of memory, corrupt data, display erroneous information, or relinquish control of the computer to a remote user. To accomplish this, the malicious code must be loaded into memory (RAM) and subsequently run.
A secondary and equally important objective of many malicious programs is to replicate and spread to other computers. The most common transmission medium for this is the Internet. Malicious code can be transported to other unsuspecting computers as attachments to e-mails or instant messages sent from the infected computer. A worm is a piece of software that uses computer networks, social engineering, and/or security holes to replicate itself. Malicious code of this type exploits the computer's inherent networking capabilities. One class of worms is the e-mail worm. Such worms work by attaching a copy of the worm's executable code, in the form of a .EXE file, to an e-mail. The e-mail is then mailed to the e-mail addresses contained in an address book or similar list found on the infected computer. When an unsuspecting recipient opens the e-mail and launches the attachment, the newly infected computer repeats the process.
To the recipient, the message and the worm it carries often appear to have been sent by a familiar source. Because the worm targets addresses the computer's owner corresponds with regularly, e-mails of this type are not necessarily considered out of the ordinary by the recipient. The deception can be further enhanced by adding a suitably benign message to the e-mail. E-mail worms that require no action on the part of the recipient (such as opening the e-mail attachment) to install and activate the malicious code are especially threatening. For instance, some e-mail clients, such as Outlook Express™ and Outlook™, support a preview pane that displays the currently selected message in a user's inbox in a small window on the screen. Such a preview can result in execution of the attached malicious code and is often sufficient to install and activate a worm even if the user has not explicitly opened the message.
The Melissa virus made spectacular use of the e-mail transport in 1999 when it quickly spread throughout the Internet. Melissa spread in Microsoft Word™ documents sent via e-mail. Anyone who downloaded the document and opened it triggered the virus. The virus then sent the document (and therefore the virus itself) in an e-mail message to the first 50 people in the user's address book. The e-mail message contained a deceptively friendly note that included the user's name, so the recipient would open the document thinking it was harmless. As a result, the virus then generated 50 new messages from the recipient's computer. In short order, the Melissa virus became the fastest-spreading virus of its day.
Likewise, in September of 2001 the Nimda worm spread itself over e-mail and through a number of other vectors. Its e-mail component took the form of an executable file (a .EXE file) that, when executed, harvested e-mail addresses from the victim's address book as well as from HTML (web page) and other files on the user's computer to identify new targets (the worm used many other, unrelated techniques as well to find new targets). Nimda took advantage of a vulnerability in the MIME handling used by Microsoft Outlook to render e-mail, so that the worm was launched automatically when the user read or previewed the message; the worm ran without the user ever double-clicking the infected attachment.
While many viruses rely on human activity to distribute the underlying code, a worm can transport itself from one computer to another without human intervention. For example, the Code Red worm replicated itself to over 250,000 vulnerable hosts in approximately nine hours in 2001. Worms of this type consume processor time and network bandwidth, and often carry a further malicious objective, such as denial of service.
In response to this threat, many techniques have been developed to combat the spread and debilitating effects of malicious computer code. The first line of defense is to discover the malicious code upon its arrival and prevent it from replicating and propagating to other computers. Microsoft Corporation provides some of the most widely used e-mail and networking software in the world, and products such as Microsoft Outlook™ and Outlook Express™ are common both in business settings and in homes. Because of their popularity, and for a variety of other reasons, Microsoft's products are a popular target of the creators of malicious code. One of Microsoft's answers to this threat has been to isolate a user's contacts and associated e-mail addresses so that worms cannot easily use them to transport an undetected virus to other computers. By denying the virus the ability to identify new targets, its effect is diminished. But as computers store ever more information, e-mail addresses and other targeting information may be found in many different information sources around the computer beyond the typical e-mail address database. Worms no longer need to rely on a single source database to develop their lists of new victims.
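The "first line of defense" described above, discovering executable content on arrival rather than relying on the recipient, can be illustrated with a small attachment inspector. The following is an added example written for this page; it is not code from the application and does not describe the invention. The two messages are constructed inside the block, the extension list is an assumed subset of file types Windows launches directly, and the attachment body is only a two-byte "MZ" header followed by padding, not a real program.

```python
"""Added example (not part of the application): inspect an incoming e-mail
for executable attachments before it reaches a mail client.

All names here are illustrative. The messages are constructed in
build_sample_messages(); EXECUTABLE_EXTENSIONS is an assumed subset of the
file types Windows executes directly.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Assumed subset of extensions that Windows launches as programs or scripts.
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# First two bytes of a Windows PE executable (the DOS "MZ" header).
PE_MAGIC = b"MZ"

_LAST_EXT = re.compile(r"\.[A-Za-z0-9]+$")


def attachment_findings(raw_message: bytes) -> list:
    """Return one dict per attachment: its name and the reasons it is suspicious."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        reasons = []
        match = _LAST_EXT.search(name)
        ext = match.group(0).lower() if match else ""
        # The shell honours the last extension, so "readme.txt.exe" runs as a program.
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append("executable extension " + ext)
            if name.count(".") > 1:
                reasons.append("double extension disguises an executable")
        # Check content as well as the name: a renamed .EXE still starts with MZ.
        if payload[:2] == PE_MAGIC:
            reasons.append("PE header (MZ) in attachment body")
        findings.append({"name": name, "reasons": reasons})
    return findings


def should_quarantine(raw_message: bytes) -> bool:
    """True if any attachment triggered at least one reason."""
    return any(f["reasons"] for f in attachment_findings(raw_message))


def build_sample_messages() -> dict:
    """Constructed samples: a worm-style message with a friendly note, and a benign one."""
    worm = EmailMessage()
    worm["From"] = "friend@example.com"
    worm["To"] = "victim@example.com"
    worm["Subject"] = "Here is that document I mentioned"
    worm.set_content("Hi! Here is the document I mentioned. Let me know what you think.")
    fake_pe = PE_MAGIC + b"\x90\x00" + bytes(60)  # not a real program, just the header
    worm.add_attachment(fake_pe, maintype="application", subtype="octet-stream",
                        filename="readme.txt.exe")

    benign = EmailMessage()
    benign["From"] = "colleague@example.com"
    benign["To"] = "victim@example.com"
    benign["Subject"] = "Q3 report"
    benign.set_content("Attached is the report.")
    benign.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                          subtype="pdf", filename="report.pdf")
    return {"worm": bytes(worm), "benign": bytes(benign)}


if __name__ == "__main__":
    for label, raw in build_sample_messages().items():
        verdict = "quarantine" if should_quarantine(raw) else "deliver"
        print(label, verdict, attachment_findings(raw))
```

The check looks at both the file name and the file content: the name catches the common "document.txt.exe" disguise, and the MZ header catches an executable that has been renamed to look like a data file. Neither requires knowing anything about the particular worm, which is the point of a defense that acts on arrival.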
The primary technique used to detect viruses and worms is signature-based detection. In this approach, the antivirus product maintains a database of thousands of fingerprints (signatures), each a pattern that identifies a known malicious file. To detect malicious software, the antivirus software searches for these fingerprints in the files on the computer. Such signature-based technologies have advanced considerably over the past 15 years, and can even detect polymorphic and metamorphic (self-mutating) threats. Despite these advances in virus detection, some new viruses are resistant to detection, and signature-based detection has its limits. A fundamental limitation of signature-based virus detection is that, until the database of signatures is updated for a new virus, that virus goes undetected. As a result, such anti-virus software does not adequately protect against infection by, or replication of, new, fast-spreading, and damaging viruses. It would therefore be desirable to prevent the transport of infected software code before that code has been recognized as malicious, thereby avoiding one or more of the problems identified above.
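The limitation described in the preceding paragraph is easiest to see with a toy scanner. The following is an added example written for this page, not any vendor's engine and not the application's method: a signature is reduced to a byte pattern, the "disk" is an in-memory dictionary constructed in the block, and the signature name "Example.Worm.A" and the marker string inside the new sample are invented for the illustration. The EICAR string is the industry-standard harmless test file that real scanners detect.

```python
"""Added example (not part of the application): a minimal signature scanner
and the detection gap for a sample whose signature has not shipped yet.

Illustrative only; no vendor engine works exactly like this. The signature
table and the in-memory "disk" are constructed here. The EICAR string is
the standard harmless antivirus test file.
"""

EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Signature database: name -> byte pattern that fingerprints a known sample.
SIGNATURES = {
    "EICAR-Test-File": EICAR,
}


def scan_bytes(data: bytes, signatures: dict) -> list:
    """Names of every signature whose pattern occurs anywhere in data."""
    return [name for name, pattern in signatures.items() if pattern in data]


def scan_files(files: dict, signatures: dict) -> dict:
    """files maps path -> content; returns path -> list of matched signature names."""
    return {path: scan_bytes(content, signatures) for path, content in files.items()}


def undetected(files: dict, signatures: dict, known_bad: set) -> set:
    """Paths that are actually malicious (known_bad) but produced no match."""
    results = scan_files(files, signatures)
    return {path for path in known_bad if not results[path]}


# Constructed sample that no signature covers yet: an "MZ" header plus a
# marker string that we later pretend the vendor extracted as its fingerprint.
NEW_SAMPLE = b"MZ" + b"\x90" * 16 + b"NEW-SAMPLE-NO-SIGNATURE-YET" + bytes(32)

# Constructed "disk": a known test file, a benign file, and the new sample.
FILES = {
    "C:/Users/alice/Downloads/eicar.com": EICAR,
    "C:/Users/alice/Documents/notes.txt": b"meeting moved to 10am",
    "C:/Users/alice/Downloads/readme.exe": NEW_SAMPLE,
}
KNOWN_BAD = {"C:/Users/alice/Downloads/eicar.com", "C:/Users/alice/Downloads/readme.exe"}


def demo():
    """Scan before and after the (hypothetical) signature update arrives."""
    before = undetected(FILES, SIGNATURES, KNOWN_BAD)  # readme.exe slips through
    updated = dict(SIGNATURES)
    updated["Example.Worm.A"] = b"NEW-SAMPLE-NO-SIGNATURE-YET"  # hypothetical update
    after = undetected(FILES, updated, KNOWN_BAD)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("undetected before update:", before)
    print("undetected after update: ", after)
```

Before the update the scanner is correct about everything it knows and silent about the one file that matters; between the sample's first appearance and the arrival of "Example.Worm.A" in the database, every host running this scanner will accept and forward it. That window is the gap the last sentence of the paragraph refers to.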